FEBRUARY 20, 2015
ONLINE
Protecting Trade Secrets in the Era of Cyberbreach

To balance the benefits and costs of
data security, ask “What is reasonable
protection for sensitive commercial data?”

Matthew Prewitt, Law Technology News

A succession of high-profile, large-scale data breaches has
made cybersecurity a pressing concern for senior corporate
leadership. The headlines in the popular press have focused on
the risks that data breaches pose to ordinary consumers: identity
theft, financial fraud, and loss of personal privacy. Data security
is at least equally important, however, to protect a company’s own
confidential commercial information and trade secrets, and the
sensitive information that commercial partners and others entrust
to the company’s safekeeping. The theft of such highly valuable
commercial information can cause losses exceeding even the
largest consumer data breaches.

Data security, however, can carry substantial costs for business.
Apart from the direct investment in hardware and software and
qualified IT security professionals, enhanced security can carry
significant hidden costs by unintentionally impeding employee
efficiency, mobility, collaboration and creativity. To balance the
benefits and costs of data security, companies must ask “What is
reasonable protection for sensitive commercial data?” That was the
question posed to a panel at American Lawyer Media’s Seventh Annual
IP Trademark, Copyright & Licensing Counsel Forum in New York.

The panel, titled “Reasonable Efforts to Protect Trade Secrets in
the Era of Cyberbreach,” and moderated by Schiff Hardin partner
Matthew Prewitt, featured Kevin Cranman, general counsel at
Ericsson Television Inc.; Michael Tucker, chief patent counsel at
BorgWarner; and Phil Weis, director and senior employment counsel
at Boehringer Ingelheim. They discussed the evolving standards for
protecting confidential business information and building company
cultures that respect and understand data security.

Prewitt: Under the law of trade secrets, the security measures a
company provides for its sensitive information define the limits of
the company’s legal rights. Security policies and practices are not
protections against theft—they are legal signposts that say, “This is
the company’s property. It belongs to us.”

This topic is timely because technology is changing accepted
notions of reasonable security. E.I. duPont deNemours & Company
v. Rolfe Christopher, 431 F.2d 1012 (5th Cir. 1970), illustrates how
something as simple as a hobbyist’s toy can upend established
precedent. In that case, someone hired a pilot to fly near and
photograph an E.I. duPont deNemours & Company Inc. factory
under construction. DuPont, of course, saw this plane circling
overhead. They ran into court, won an injunction, and then ended up
before the 5th U.S. Circuit Court of Appeals. Had DuPont abandoned
its trade secret by not putting some type of cover over the factory
while it was under construction? The Fifth Circuit answered, “No,”
offering an explanation that resonates in this era of cyberbreach:

Perhaps ordinary fences and roofs must be built, but we need
not require the discoverer of a trade secret to guard against the
unanticipated, the undetectable, or the unpreventable methods of
espionage now available.

In 2014 an ordinary consumer can now purchase in a hobby
shop an inexpensive aerial drone equipped with a camera, capable
of taking the same type of photographs at issue in the case, and so
small as to escape notice from the ground. Does this change the
result in DuPont v. Christopher?

Of course, the challenges for electronic data security are far
more difficult than this relatively simple illustration. What does
it mean, in 2014, to think about methods of incursion into the
company’s computer systems that, using the language of the Fifth
Circuit, are “unanticipated, undetectable, or unpreventable”?

What is the role of in-house counsel in trying to balance, on the
one hand, maintaining security and controls over the data, but on
the other hand, maintaining an appropriate corporate environment
where people can actually work together and make money?

Weis: In-house counsel’s job is to try to strike a balance between
two competing voices: those who wish to get work done freely
without restrictions and those who know that down the line, if the
company is going to have a chance of winning in court to protect its
trade secrets or enforce a confidentiality agreement, the company
must ensure that our truly secret data has been identified and
protected as such.

Cranman: An important part of in-house counsel’s job is to
solve problems, including how to guide the company in protecting
information and facilitating a structure in which employees can
achieve the company’s goals while protecting information.
Employees need to have a structure in place that they understand and
can actually comply with in their daily work. Even well-intentioned
employees may test the limits of company policies if the policies
impede the work goals. We also have to assess the sophistication of
the company’s employees. Is this a high-tech company where people
are going to understand nondisclosure agreements and trade secret
terminology? Or does in-house counsel need to begin at a more
basic level? One reason nondisclosure agreements are important
is because they help to educate and to sensitize employees to the
importance of data security.

Tucker: Despite changes in technology, the starting point for
protecting trade secrets is still getting a written nondisclosure
agreement in place. Part of the problem with NDAs, however, is the
temptation to draft very broad and vague definitions of what is protected
by the agreement. Unlike a patent, which discloses an invention in
detail, with very careful drafting and extensive third-party review by
the patent examiner, there is a real risk that a confidentiality agreement
will fail to provide sufficient notice of what specific information is truly
sensitive and requires the greatest protection.

Prewitt: In order to have collaboration and exchange
of information and also maintain security, most companies
should implement tiered levels of security. How do you deal
with the challenge of achieving meaningful, escalating security
classifications?

Cranman: A trade secret audit can help. It requires time and
effort, but the audit will help the company identify what needs to
be protected, prioritize levels of security, and educate employees.
I also recommend identifying a specific person within the
organization who is charged with overseeing security for trade
secrets and other sensitive information. Of course, who that
person should be will vary with the size of the company and the
complexity of its trade secrets, but there needs to be someone
making sure that information security does not fall between the
cracks. I will add that NDAs do add value. Earlier today, a colleague
on another panel questioned, perhaps with some humor, the value
of NDAs. While enforceability differs based on the law of the
jurisdiction and the facts of the case, I firmly believe that having
NDAs is an important step in the company creating a culture of
compliance for information protection by, for example, letting
employees, suppliers, and customers know that information
protection is important and having a tangible framework in the
NDA to help focus and remind people of the obligations.

Weis: Train your employees, and keep a record of the fact that
they were trained. Set up very simple categories that any employee
can understand, and save the last category for the most highly
protected stuff. When data security becomes an issue in litigation,
your weakest link is that deponent who you haven’t imagined is ever
going to be deposed, who will say, “Yeah, I think I took the training
one time years ago when I first got here. We just stamp every single
file ‘Confidential.’”

Prewitt: At some point, in order to monetize the trade secret
or to simply have the business work, the company has to share the
information with a vendor or customer or some other commercial
partner. What should the company be looking for when its trade
secrets are outbound, when the company is the disclosing party
under the nondisclosure agreement?

Cranman: You should consider including in the NDA some sort
of rules for identifying protected information and who can receive it.
If the information is disclosed as a written document, for example, it
should be marked as confidential. Restrictions that limit disclosure
to a specific set of employees are also appropriate in some cases.
We sometimes do NDAs that say, “These three people from our
company will be able to have access to this information, and these
three from the other company will have access to it.”

Tucker: The NDA should reflect reality. If only one party is
disclosing confidential information, then the agreement should
reflect that and should not be drafted as a mutual NDA. We sometimes
insist that a supplier commit to provide our company only public
information because we do not want the risk of being subject to
unexpected restrictions under a vaguely drafted mutual NDA.

Prewitt: How do you limit the company’s risk under an NDA
when it is the receiving party to whom trade secrets are disclosed?

Tucker: In that case, a key battle becomes how long are we as
the receiving party obligated to protect the trade secrets? Many
agreements provide that the obligation continues until the trade
secret is no longer a trade secret. I try to avoid that vague and
open-ended standard. Is there a way to identify when protection for this
information can expire based on when the product is coming to
market, or some other anticipated public disclosure?

Prewitt: Sometimes attorneys are entrusted with vast amounts
of highly sensitive information. Any tips on how to make sure that
the company’s outside counsel doesn’t become the weak link in
data security?

Cranman: As is often the case, communication is pretty
important. The law firm needs to know that data security is important
to you as a client and that data security is part of your criteria for
selecting outside counsel. Data security requires a commitment from
the entire law firm to be effective, so in-house counsel needs to be
vocal about this issue to make sure it has the attention of the law firm’s
management. Law firms should realize that data security can be a way
to develop and strengthen relationships and build client trust.

Weis: And of course the opposite is true, too. You don’t want to
be the law firm that has to send the client a letter advising of a data
breach. That is a very quick way to lose a client.

Matthew Prewitt, partner at Schiff Hardin; Kevin Cranman,
general counsel at Ericsson Television Inc.; Michael Tucker, chief patent
counsel at BorgWarner; and Phil Weis, director and senior employment
counsel at Boehringer Ingelheim all contributed to this piece.

Reprinted with permission from the February 20, 2015 edition of Law
Technology News. © 2015 ALM Media Properties, LLC. All rights reserved.
Further duplication without permission is prohibited. For information,
contact 877-257-3382 or reprints@alm.com. #010-02-15-04